The sigmoidal growth of operating system security vulnerabilities: An empirical revisit

• The paper replicates a sigmoidal growth model for software vulnerability trends.
• The model is connected to technology diffusion, reliability, and life cycle models.
• The empirical sample covers 69 operating system products from Microsoft and Red Hat.
• The results are confirmatory, but the connection to reliability remains ambiguous.
• The results also reveal that major and minor releases do not differ systematically.

Purpose. Motivated by the calls for more replications, this paper evaluates a theoretical model for the sigmoidal growth of operating system security vulnerabilities by replicating and extending the existing empirical evidence. Approach. The paper investigates the growth of software security vulnerabilities by fitting the linear, logistic, and Gompertz growth models with nonlinear least squares to time series data that covers a number of operating system products from Red Hat and Microsoft. Results. Although the fitted models are not free of statistical problems, the empirical results show that a sigmoidal growth function can be used for descriptive purposes. The paper further shows that a sigmoidal trend applies also to the number of software faults that were fixed in the Red Hat products. Conclusion. The paper supports the contested theoretical growth model. The few discussed theoretical problems can be used to develop the model further.